The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.
The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great since telcos are prime targets for nation state hackers, as Salt Typhoon shows.
Hacking the lawful intercept systems is very brazen, but even if the hackers didn't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc., it still would have been incredibly dangerous.
This really buries the lede. Telecoms are reluctant to do it because 'doing' it isn't aligned with their priorities.
Why would a telecom risk bankruptcy by investing heavily into a system that their competitors aren't?
If you want a back-door to exist (questionable) then the government either needs to have strong regulatory compliance where poor implementations receive a heavy fine such that telecoms who don't invest into a secure implementation get fined in excess of the investment cost or the government needs to fund the implementation itself.
Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.
> Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.
This is only because of the design defect that "lawful intercept" requires.
Telecoms should be completely untrusted because everything is end-to-end encrypted. Compromising a telecom shouldn't allow you to do anything other than bring about a denial of service, and even that would only be effective against anyone who didn't have a redundant link with a different provider, which all actually critical infrastructure should. And a denial of service is conspicuous, as opposed to spying on required-to-be-unencrypted traffic which can continue undetected indefinitely and is a significant national security risk.
Our need to not be spied on is greater than our need to spy on ourselves and requiring designs that assume the opposite of that is a major self-imposed security vulnerability.
Even if let's say lawful intercept is done away with and calls are end-to-end encrypted, the telco would still be in control of key management and distribution... and if those clowns can't secure lawful intercept, why do you think the key distribution infrastructure would fare any better?
Why should they be in charge of key management? They should be in charge of physical plant and leave all of that to someone else. We should be discontinuing the legacy PSTN and making "phone" an IETF protocol where your "phone number" is user@domain.
Yes there is a lawful intercept system that operates inside telecoms networks, that is an issue.
The other issue is that there is no real security inside said telecoms networks. (side note, there is still fucking SS7 floating about)
Salt Typhoon is not "just hijacking lawful intercept"; it's the ability to fuck with the network in a way that is largely undetected. Sure the intercept stuff might help, but they don't actually need that. In the same way we learnt about state actors taking complete control of Middle East telecoms systems, we can be fairly sure that other state actors have taken control of USA telecoms systems.
Both the Executive and Congress have done shit all about it, and will continue to ignore it until something happens.
This. The lawful intercept infrastructure is one facet of their network. The rest of their infra is also a deep concern: call records, SS7 signaling, the IP network, mobile infra and its back end (SIM swapping).
How am I confusing the two? My whole point was the same as yours - that the existence of lawful intercept is a separate issue and that the focus should be on securing telecoms.
Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure. Telecoms should be highly secure. Period.
I get that you don't like lawful intercept. That's fine. But focusing on only that aspect of telcos derails the conversation and prevents us (in the very broad sense of "us") from making progress on things we all agree on. Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?
A hacker in control of a telco can do as they please regardless of any backdoors or lawful intercept systems. They can just use regular network functions to route calls wherever they want.
> Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?
Yes, because the solutions to both are the same. Decentralized and trustless systems solve both problems, in my opinion. I agree the pathway from where we are at now and there is complex, but it's not "bikeshedding" to believe there are fundamentally different and better ways to organize and secure a network that change the attack surface entirely.
(Think of IP layer being replaced with a PKI as a small example)
Nice website, but I feel like calling it "wire wiki" is quite ambitious. Currently, it's a (beautiful) DNS lookup tool, but that's about it. I expected something like RIPE Stat [0], or something like the undersea cable map [1] (based on the "wire" in the name). Also, if you're doing DNS, take a look at resolve.rs [2], they have some nice DNS tools, though not as pretty as yours :)
And since you mentioned scanning the IPv4 address space for DNS servers - I did that as well at some point for a product I've built (and even have a patent on). The list of servers you're going to get with a naive scanning approach is not what you want. It won't include the servers you probably want (such as the customer-facing DNS servers of ISPs) and will include an insane amount of junk like home routers or weird IoT devices that expose their port 53. Hit me up via the email in my profile if you want to chat.
You're right that it doesn't do the name Wirewiki justice yet. I've got so many things planned to add at some point, much more than just DNS. Check again in 2 years' time ;)
> The list of servers you're going to get with a naive scanning approach is not what you want.
Absolutely right. I'm doing uptime monitoring and a handful of checks (udp/tcp, nxdomain, dnssec, dns filtering) before listing them, but I feel like it could definitely be improved. Would love to talk! I'll send you an email.
Tangentially, the fact that we're still using gigabit connections in our homes and especially offices in 2026 is weird. Gigabit Ethernet is over two decades old, but it's still the most common standard. Both 2.5 and 10 Gbps are effectively niche technologies.
I get it; it's "good enough" in most cases, like USB 2.0. But it still sucks we haven't moved past it.
Isn't Frozen something you do to a set or dictionary to say, I'm not going to add any more values, please give me a version of this which is optimized for lookup only?
You don’t see a difference between a major news outlet from a democratic country which has freedom of speech and an outlet from a religious monarchy which has no notion of free speech or even human rights?
That's usually not the bar though; many who refuse Saudi media due to Saudi ownership would be completely okay with Al Jazeera regardless of Qatari ownership, even though both countries have very dubious intentions and government system.
Saudi Arabia is one of the world leaders by number of death sentences. They have no qualms with putting you to death or giving you life imprisonment for all sorts of things, including "wrong-speech" in the form of leaving the state religion, or opposing the government. The UK isn't some shining beacon of freedom by Western standards, but it's not even in the same universe as Saudi Arabia.
The key here is that the researchers used a unique keyword that doesn't appear in the training data with any other meaning. Hence, the model had no benign associations with it, only malicious ones.
Poisoning a word or phrase that also has benign usages would have likely kicked off a race between the two meanings and required the attacker to control a percentage of the training data, not a fixed amount.
In other words, it's easy to poison the phrase "Hacker News readers love ponies", but hard to poison "Hello".
I'm more curious about what their thoughts are. They have to know what the community thinks about these moves. What do they intend to accomplish? I'd like to hear the roadmap from the lion's mouth, so to speak, if they have some kind of justification that would make sense to the skeptical observer.
It is a command from the top, possibly very top aka CEO. What the community thinks doesn't matter. What matters is how much ad money they earn and how much of your private information they can track.
They used to get money from selling products, like Windows. That we are in this situation where they choose to give the OS away for free but then have to scramble to find money in obnoxious ways afterward is bizarre to me. It's not like they started this process with zero market share.
They have a total monopoly on OSes able to run Windows software; this is their strong point: write some random software in 1996, still works today. As a result they can quadruple-dip by having users pay for the OS, show them ads, inflict unwanted products on them, and (maybe? if they don't now they surely could without repercussions) sell their data. This is what monopolies do.
The versions that are respectful of users are gated behind a "being a company" requirement.
(exception of Windows Server but it's kinda messy to set up for gaming. Though it kinda shows that when they have actual competition on a market they do nice things)
Home users generally don't pay for Windows. It comes with their computers and the major version upgrades are free and have been for quite some time; 7→8 (2012) was the last time it wasn't free but 7→10 (2015) was a valid, free upgrade path so most just bypassed 8 entirely (and they were better off for it because 8 sucked). Since Windows 7 was itself released in 2009, most home users haven't paid for Windows upgrades in 16 years.
Yes, having to maintain an OS over multiple years without recurring revenue might be an issue indeed. On my side I wouldn't mind paying a subscription if the OS could respect my choices. But I guess it does not really make sense to provide a subscription that only a very small handful of people would pay.
(I wonder how subscriptions could handle multiple machines; today it often happens that people have multiple computers but subscription cost would quickly add up; I guess they could have different tiers with different allowed concurrent use count)